Refactoring programs to secure information flows
Source: Conference on Programming Language Design and Implementation
Proceedings of the 2006 workshop on Programming languages and analysis for security
Ottawa, Ontario, Canada
Session: Secure information flow
Pages: 75-84
Year of Publication: 2006
ISBN: 1-59593-374-3
Authors
Scott F. Smith  The Johns Hopkins University
Mark Thober  The Johns Hopkins University
Sponsors
SIGPLAN: ACM Special Interest Group on Programming Languages
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
DOI: http://doi.acm.org/10.1145/1134744.1134758

ABSTRACT

Adding a sound information flow security policy to an existing program is a difficult task that requires major analysis of and changes to the program. In this paper we show how refactoring programs into distinct components of high and low security is a useful methodology to aid in the production of programs with sound information flow policies. Our methodology proceeds as follows. Given a program with no information flow controls, a program slicer is used to identify code that depends on high security inputs. High security code so identified is then refactored into a separate component, which may be accessed by the low security component via public method calls. A security policy that labels input data and checks the output points can then enforce the desired end-to-end security property. Controlled information releases can occur at explicit declassification points if deemed safe. The result is a well-engineered program with explicit interfaces between components of different security levels.
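The shape of the refactoring the abstract describes, as an added illustration that is not code from the paper: the code that depends on the high input (a secret PIN) is moved into a separate high component reachable only through public methods, inputs are labeled, a single explicit declassification point releases one bit, and an output check rejects any high-labeled value that reaches a low sink. The class and function names are assumed for this example; the paper's own tooling (a slicer over Java programs) is not modelled here.

```python
from dataclasses import dataclass
from typing import Any, List


@dataclass(frozen=True)
class Labeled:
    """A value tagged with its security level ("high" or "low")."""
    value: Any
    level: str


class PolicyViolation(Exception):
    """Raised when high-labeled data reaches a low output point."""


class HighComponent:
    """Code the slicer found to depend on the high input (the secret).

    After refactoring it lives here, behind public methods, so the low
    component can no longer touch the secret directly. (Names assumed.)
    """

    def __init__(self, secret_pin: str):
        self._pin = Labeled(secret_pin, "high")  # input labeled high by the policy

    def check_pin(self, attempt: str) -> Labeled:
        # The comparison still depends on the secret, so its result stays high.
        return Labeled(attempt == self._pin.value, "high")

    def declassify_pin_result(self, attempt: str) -> Labeled:
        # Explicit declassification point: exactly one boolean is released as low.
        return Labeled(self.check_pin(attempt).value, "low")


def low_output(sink: List[Any], data: Labeled) -> None:
    """Output check of the policy: only low-labeled data may leave via a low sink."""
    if data.level != "low":
        raise PolicyViolation("high data reached a low output point")
    sink.append(data.value)


def low_component(high: HighComponent, attempt: str, sink: List[Any]) -> bool:
    """Low-security code: reaches the secret only through the high component's API."""
    result = high.declassify_pin_result(attempt)  # passes the declassification point
    low_output(sink, result)
    return result.value


def leaky_low_component(high: HighComponent, attempt: str, sink: List[Any]) -> bool:
    """Same logic but bypassing declassification: the output check rejects it."""
    result = high.check_pin(attempt)  # still labeled high
    low_output(sink, result)  # raises PolicyViolation
    return result.value
```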



